Wireless networks for small businesses by their nature have additional vulnerabilities to hard-wired networks. This should be kept in mind when deciding about technology for a business. The practical necessity and benefits should be carefully weighed against the added risk of compromise that a hurried wireless installation can pose. If a network is unsecured, it is quite simple for a hacker to park within range of the signal and enter. If it’s decided that WiFi capability is needed for guests or visitors to a premises (as is now the case with many businesses), then is is best to sub-net this to safely separate it from all other network resources. This can be configured to require the visitor to go through a firewalled connection, and to pass through a gate which verifies that the guest device has AV protection before connection is allowed.
One solution to enabling guests a wireless network is to purchase a separate, cheap plug-and-play router which will solve the immediate problem, though there is still the question of the integral business network with critical data stored on it. If a system’s file-shares are mapped remotely, then the implications can be catastrophic. Ransomware alone accounted for around 45% of its victims last year in the small-to-medium-sized business range, each paying an average of between $8-9,000 U.S (and some a great deal more).
Finding a balance between a functional, user-friendly wireless network that is at the same time safe for the business is the challenge. Here are some questions to ask when assessing the vulnerability of a wireless network:
- Does the network operate on its own VLAN (vitual local area network)?
- Are sensitive files inaccessible to visitors via WiFi?
- Is the WiFi router physically accessible to to anyone other than staff?
- Is the WiFi password changed regularly?
- Has a MAC (Media Access Control) address whitelist been enabled?
If the answer to any of the above questions is NO, there is a vulnerability to attack in the network.
Most modern WiFi access points provide WPA2 encryption. This should always be selected to prevent packet-sniffing and so, key decryption. The older keys such as WPA and WEP should be avoided as glaring vulnerabilities. This may prevent access by key decryption, though on its own it is not enough because of conventional password theft or sharing.
Ways to harden a WiFi networking:
- Hide the SSID. The Service Set Identifier is the name of the network, this can be hidden so that only devices that know the name can log in;
- Change the router’s default Username and Password. These are usually defaulted to Admin and Password when new. If these aren’t changed, then a trespasser can simply log in and make the changes they want to configurations in Administrator capacity;
- Update firmware regularly. Note the make and model of a router and search for newer versions. A Google Alert can be set up to inform users when a new version is available;
- Set up MAC (Media Access Control) whitelisting for users. This is a unique ID for each device to use the network. While this is ultimately crack/spoofable, it is an ingredient that can deter casual hacks. This can be automated to incorporate the above checks such as AV software on the user device;
- Use a firewall. Many higher-end routers come with integral firewalls that also allow content filtering options, such as Cisco and SonicWALL;
- Create access windows. If the network is not going to be used outside trading hours, configure to shut down – or if the router is plug-and-play – unplug it before leaving the office. This will close an attacker’s out-of-hours window;
Hire a Pen Tester (Penetration Tester) to run through the system and highlight any flaws.
It should be remembered that hardening a WiFi network is an on-going job that should be kept on top of.